Welcome everybody to What's the Problem, a show that explores problems that buyers and practitioners in the cybersecurity arena face. Today, we are very lucky to have Marcela Denniston with us. Marcela is a builder of military-grade security teams.
Mike Krass: Marcela, thank you for joining us.
Marcela Denniston: Thanks for having me, Mike.
Mike Krass: Awesome. Well, Marcela, why are you qualified to talk about security? Tell us about that.
Marcela Denniston: Well, I've been in security for roughly 20 years now in the government and commercial sector. I started my career out in the Navy. I was in the Navy for seven years jumped right into a cybersecurity role. Oddly enough, this was during the time when we were seeing some initial activity coming from what we've to call advanced persistent threats, which are basically nation-state actors or governments that are posing a cyber threat to us, so I joined in a very interesting time because this was becoming more prolific in the government. Military space and cyber operations were just starting to boom. They were creating jobs around us in the military and new centers so, I got to be at the forefront of a lot of the development of these organizations and how they were built. So that's where I got my start. Through the Navy, I actually transitioned to working at the national security agency, working in cyber intelligence, again with those advanced persistent threats that we discussed and how they tie back into a lot of the socio-economic problems we have here in the United States after that switch. Transition to working more in the commercial sector, where I've primarily been working at startups and as a consultant and help build out cybersecurity operations, but also understanding the customer and the commercial customer challenges they face. And most recently, I founded my own startup, which was recently acquired. We were primarily targeting the small to the mid-sized business sector for cybersecurity, which is still a fairly new playing ground for cybersecurity. There's a lot of education that's happening in that space right now. So that's my background and my credentials around cybersecurity and why I'm qualified to speak about it.
Mike Krass: Fantastic, Marcela. First of all, thank you for your service. Moving to the next question, name a problem if you actually teased that one about the SMB space. Is that something you want to talk about as a problem in the security world?
Marcela Denniston: Yes, absolutely. It's one of the greatest challenges we're seeing right now, and we're seeing a lot of companies emerging in this space trying to help small to mid-sized businesses with cyber security. So cyber security is becoming much more prevalent today. Every year, cyberattacks grow exponentially, and new methodologies are being used. The latest and greatest that we all hear about is ransomware, and it's actually a problem that a lot of SMBs face. Small to mid-sized businesses face. This is such an issue in this market space, specifically the small to midsize market, because a lot of smaller companies, whether they be very small or mid-size, are starting to adopt new technologies to keep pace with their enterprise counterparts. So, as you know, between the pandemic that we've recently had and the need for more automation, these smaller companies can keep up with the enterprise. They are expanding their technology base. They're expanding their remote workspace, and with that expansion into these new arenas of technologies comes a lot of threats to them. Hackers are very well aware of those threats. They're also very well aware that small to midsize businesses, while they are starting to integrate these new technologies or work from home, they do not necessarily have the know-how, resources, or budgets to address cyber security. And a lot of that has to do with top-level approaches to not understanding ski suite, so a lot of small businesses and mid-sized businesses just don't see cyber security as an issue. They believe they are not targets because who wants data from a small to a mid-sized company?
Mike Krass: I was just wondering that actually.
Marcela Denniston: Yeah, exactly! And the answer to that question is a lot of people want that data for a few reasons. One, it's very easily accessible because they don't have a lot of cyber security in place, so it's easy to hack these smaller companies. The data that we find within these small companies is still very valuable if we look at it just from a financial perspective. There are many motives as to why hackers do what they do, and a lot of this I learned through my time in the government. So one of the primary motives, of course, is financial gain. Since we are so data-driven today, with all of the technologies we have in place, it's very easy for a hacker to hack a small, mid-sized company that doesn't have any security measures in place and take that data and sell it in the dark web.
Mike Krass: I just repeat something back to you. So what I'm hearing is I'm going to say small business as our first example represents a low-hanging fruit opportunity. It might not have any security posture besides whatever Google Business Apps provides for them. And so, even though it's not going to be the Richard Branson, we're going to ransomware Jane's Flower Shop in Pleasanton, California systems, we're not going to be able to buy a Richard Branson Island in the Caribbean. I don't have to battle a security team or security procedures sometimes at all, or whatever is in place actually isn't going to keep me out for very long, if at all.
Marcela Denniston: That's exactly the situation. So it's what we call a soft target. Right? Because it's an easy target to access and a lot of times, it's much easier for these hackers to access ten Jane flower shops and get customer or data addresses, phone numbers, email addresses, credit card information, and sell that information on the Dark Web than it is to try to hack into a large organization such as Target, AT&T or any Fortune 500 organization that may actually have security measures in place. That doesn't mean that they don't hack those companies as well, but the interesting, secondary point would be that these smaller organizations are often used as hop points into larger organizations or even into government organizations. Target is actually a great example of that. It's an old example, but I just mentioned it, so we can talk about it a little bit. Target was actually their point of sale transaction systems were actually hacked through an entry point in their HVAC systems, which is completely unrelated, but basically, the attackers took advantage of a supply chain.v It's what we call a supply chain, which is basically a partner or a vendor that Target is working with, and they utilize an access point. There is a vulnerability to exploit the system and then traverse their way through the network to gain access to the actual point of sale systems within Target. So there are many reasons we would target these smaller to midsize organizations from just a financial gain perspective. The other point here is that they also operate very well as top points into government information for socioeconomic or military purposes and activities. And where we see a lot of that is actually in the government contracting world. We believe we know a lot of government contractors that are very large as well, like the Lockheed Martins of the world and the General Dynamics. But there are hundreds, if not thousands of very small organizations and companies that are government contractors that work directly with the government and so they have to have communication with the government and access to the government system. By accessing those environments and companies that are also sometimes still weak in their cybersecurity, they now have a very easy entry point into much more sensitive government information or at least methods to pivot and work through the networks to gain access to that information as well.
Mike Krass: Now, if I'm Jane, we're back to the flower shop. You're telling me that besides ordering flowers and staffing a shop and doing all these other things, is this now a part of my tech budget? Like, I've got my phone bill, internet bill for the shop. I've got say I use Microsoft 365, and I got Outlook and Calendars. I now need to budget some money for something to do monitoring and threat detection response, or what is Jane supposed to do here?
Marcela Denniston: Right! And it's interesting in this small mid-market space because it needs to be very specific to the organization's needs, and that's really the biggest recommendation that I can make. You really need to understand your risk as a company because Jane's flower shop necessarily doesn't have tons of risk. But there is some risk there that they can very easily start to mitigate by looking at the technology I am using. What are my vulnerabilities or access points? And what are the most likely ways that a cyberattack could affect me? And the important reason is that as a small business like Jane’s Flower Shop, if you do get hit with a cyberattack, there's a good chance that it could actually close down the doors of your business altogether. Because between fines, penalties, and just recovering, it can be very difficult and financially trying. So for a situation like a Jane’s Flower Shop, we would typically recommend looking at what systems you're using, what technologies you're using, and at least implementing some basics. So a Jane's Flower Shop probably has a point of sale transactions. They're probably holding some level of customer information. A lot of this is taken care of from a security perspective, from whatever vendors you're using, but I would say it's really important to understand the vendors you're working with you have some sort of security. And that sometimes will require reading the fine print. Second, just some very basic cyber hygiene, which is essentially using your ability to have employee awareness, very basic training for your employees, and having endpoint detection on whatever systems are being utilized by your employees and yourself. Those are already some great entry points. If you have a storefront with a basic firewall that filters out some of that activity, it filters out your employees' ability to go to websites that they shouldn't be going to. And then last but not least, the most important thing right now is the ransomware attacks that we're seeing with these small businesses because the ransomware attacks are really prominent. Those are the ones that are right now the most crippling to SMBs because they'll encrypt your data, and once your data is gone, recuperating that or having to start to build it from scratch is going to be very difficult. So one of the things that I most recommend in that scenario is having a strong backup system where you are backing up your data; it's being stored in a secure place that's not on your network. That way, if you do get hit with a ransomware attack and they hold your data ransom, you still have access to your business operations, and you don't have to shut down your doors for a week while you rebuild the entire infrastructure.
Mike Krass: Before we get to our final question, just a quick follow-up because we've been talking about Jane a lot, and we've been focused on Jane's small business. But you did say SMB, so mid-size business as well. Do you have the same recommendations for a mid-sized business? Say, a business local to me is like Richard's Waste Disposal. I bring them up because their tagline is business stinks, but it's picking up, and I think that's hilarious. As their trash company, they're about 150 employees, probably about $10 million business with city contracts. They're a mid-size business. Same recommendations to Richard's Disposal, or is there anything extra you would add on?
Marcela Denniston: No. As your organization gets bigger, you do need to take cyber security more seriously, and that's why it's important to start when your organization is small because it's a lot easier to scale than it is to start from scratch once you're at a specific size. So for a mid-sized organization, I would take a much more measured approach because you're dealing with more customers, you're dealing with more revenue, and you're dealing with more employees, which means your tax surface is increased. So the best practice here is to really identify cyber compliance or cyber standard that you want to meet, or that's maybe required of you already to begin with, just based on whatever sector you're operating in. So health care, for example, they have specific compliance standards that they have to abide by. And I would say the starting point should be to understand what that compliance standard requires to pick a maturity level that you want to be at. From a cyber operations perspective, there's a maturity level that ranges from what we call, like, an initial capability all the way up to optimize where everything is very automated and easy to use, and kind of operates on its own. We don't really see that very often; that's much more of an enterprise-level capability. But you pick what you want to be at. You identify: this is where I need to be, and then you go through that compliance standard, and you really check off all the boxes to make sure that you fit into all of those specific components of cybersecurity, identify what your gaps are, and then make a plan to get to that endpoint within a given status time. So it's not any different than setting business goals. Right? Cyber security should be a part of your regular operations, and it should be a part of your business goals when you are a mid-sized company. Because at the end of the day, if you get attacked, it will cost you money. It's going to take time to remediate. It's going to affect your brand, and it very well may affect you from a fine perspective, and you may be held accountable from that point on to the executives and the board if you were the one that was responsible for the infrastructure, to begin with. So it's best to be proactive and be prepared for that attack versus not being ready and then having it hit it and then potentially having to shut down business operations.
Mike Krass: Thank you so much. It's been a pleasure hearing your experience over two decades of experience as a practitioner, both from the private and the public sector, as an entrepreneur as well as a leader within your current capacity. Let's finish with this final question. Tell us about your worst haircut.
Marcela Denniston: Yes, the haircut. So I have been very fortunate to not have to experience very many awful haircuts. But I lived in Abu Dhabi for two years, and so, of course, when I arrived, I needed to get a new hairstylist. If you know anything about Abu Dhabi, local women there often wear headdresses, so their hair is covered. And I requested some advice from one of the local ladies on where I should go get my hair cut and admittedly did not see her hair cut. I went into the shop and requested some highlights and a haircut, and needless to say, I walked out looking like Corella, with very black and white looking hair mixed colors. We're. It was not what I had asked for and a haircut that I basically had to get three haircuts within the next four months to get fixed. So that was probably my worst haircut experience. I learned my lesson very, very quickly, but luckily, I haven't had to experience too many more of those in my life.
Mike Krass: The military is tough. One of our previous guests here, Ebony Hall, was in the US Army in an IT capacity, and she had a similar issue. She asked for a star to be cut into the side of her head, and it did not come out as a star or anything. I'm noticing a trend here in the armed forces that we just have had a hard time getting haircuts up in there.
Marcela Denniston: That's true. And I was smart enough before I went to boot camp, where everybody gets a not-so-great haircut. I actually cut my hair before I went to boot camp, knowing that we were not going to get the best haircut while I was there.
Mike Krass: Awesome. Well, we survived the haircut. Marcela, again, thank you so much for joining us.
Marcela Denniston: Thank you, Mike.
Marcela Denniston is a security engineer, entrepreneur, and marketing leader with a background in the public and private sectors. A security practitioner for more than two decades, Marcela began her career in cybersecurity with the United States Navy and then the National Security Agency (NSA) before moving on to the private sector to work for companies such as Visa and ShieldX before starting, scaling, and selling her own cybersecurity business. Today, she is the SVP of Marketing at Foresight Security.